Who is Reading the WHOIS Review?

The WHOIS directory is meant to be the definitive and publicly accessible list of owners of internet domain names. ICANN is responsible for its management and maintenance. Their main agents in this work are the registries and the registrars.

I have a long-standing (but until last week dormant) interest in WHOIS. I was prompted to revisit this territory by the recent publication of "The WHOIS Review Team Draft Report". I agree the title does not immediately suggest that Jo Nesbø or John le Carré have much to worry about but for those of you with any sort of interest in the politics and history of how the internet developed it is fascinating. Moreover very few documents which deal with such geeky issues are so easy to read and understand. Maybe that is because, at the end of the day, this isn't really a geeky issue at all. It's about things and ideas we take for granted in almost every other walk of life.

Phenomenal level of inaccuracies

The problem with WHOIS is the phenomenal level of inaccuracies which it contains. The inaccuracies arise for several reasons but chief among them is the failure of ICANN to require licensed registrars or their agents to verify the information proffered to them by whoever buys or renews a domain name, at the time that they are doing the buying or the renewing.

Registrars have a general obligation to ensure that the data they collect is accurate. In particular they must investigate complaints they receive about inaccurate data within WHOIS. However, on page 39 of the Report we learn that in 2007 the level of inaccuracy reports about WHOIS was "unacceptably low" and only 10 people accounted for 87% of all of them. But inexplicably, under ICANN's rules, there is no obligation to rescind a registration solely on the grounds that it is erroneous, even if it is clear that the inaccuracy is intentional (p82).
Ineffective measures

The Review Team discusses (pages 37 and 40) some of the measures that are taken to try to minimise inaccuracies, for example, the "Data Reminder Policy", but the report readily and repeatedly acknowledges that the sum total of all of these efforts is vanishing small. Out of a current total of 220 million domain names only 23% are fully accurate. 50 million are OK. 170 million are not. As time goes by and more registrations are added the problem gets worse. If more than three out of every four entries in a database do not comply with its rules I think it probably forfeits the right to be called a database at all.

If it isn't obvious, why is this issue important? The current WHOIS system was established in 1985 and inherited by ICANN when it was established in 1998. ICANN has made repeated statements about the seriousness of its intent to put WHOIS right but it has not happened. The continuing absence of timely, unrestricted and public access to accurate and complete WHOIS information has enabled significant numbers of fraudsters and felons of various sorts to pursue their criminal purposes online.

The cops are categorical

The cops are absolutely categorical. In approaching 100% of the cases where they have to begin a criminal investigation into anything at all involving a dodgy web site the name and address of the owner of the site shown in WHOIS will be false or inaccessible because it is hidden within proxy or privacy services which have grown up willy nilly. This means that, before the police can even get to first base with an enquiry they have to go through a series of other more time-consuming, more expensive procedures.

In other words ICANN's incompetence is costing the police time and money, time and money that wider society can ill afford. And it's not just the police. Think about the vast superstructure of private security Departments inside or contracted to various companies. A significant proportion of their workload can be attributed to the holes created by the shortcomings of WHOIS. I have no doubt at all, even if the cops publicly deny it, this state of affairs means some investigations simply get dropped, or never get started, unless it is obvious that a serious threat to life or limb is involved. The constant buzz of annoying low level online crime, and the associated fear of crime that is part of the background noise of daily life in the 21stCentury, is therefore at least in part attributable to ICANN's self-regulatory failure.

Left hand and right hand

Elsewhere other parts of the internet industry spend millions and millions promoting safety messages, advising us all to be careful when we log on to the internet, to be sceptical about extravagant promises and enticements made on the web. In the ICANN neck of the cyber woods others are providing the gangsters with all possible assistance. You could not make it up.

The high level of inaccuracies is therefore likely to be causing avoidable hardship to the fraudsters' and felons' victims. This undermines consumer trust in the operation of the internet in general and e-commerce in particular. By extension, and here the relevant audience is not internet users as such but governments and potential alternative regulators, the high level of inaccuracies erodes confidence in ICANN as an institution.

Must do better

I think the criticisms the report makes are devastating. They amount to a more or less complete indictment of ICANN's recent leadership and its current methods of decision-making, by which I really mean non-decision-making. If ICANN is unwilling or unable to sort out something of such fundamental importance to the operation of and confidence in the internet what else might be going on or not going on, within its well upholstered walls? Are we safe in their hands?

I have written about this more extensively and in greater detail here should you wish to know more.